Fighting Insider Threats Spotlighted at DEFCON Conference

At the upcoming DEFCON security conference, Fortify Software researchers will detail examples of insider attacks against real software systems, and what your business can do about it.

When insider data breaches hit, they hit hard.
Just recently, a former senior database administrator for
GEXA Energy was sentenced to a year in prison for illegally accessing,
copying and damaging a customer database two months after he was fired.
The act cost the company $100,000 in damages and former DBA Steven
Jinwoo Kim his freedom.

"The biggest driver we've seen for malicious insiders in the past 18
months has been the economic downturn," said Jacob West, who is
security research director at Fortify Software. "During a recession,
engineers see layoffs left and right and begin to fear for their own
job stability. This pressure can cause unethical insiders to plant
backdoors, logic bombs or other nefarious code that they believe will
allow them to steal funds, information or do other damage to the
company from the outside in the event that they are laid off."

All this makes understanding the techniques malicious
insiders use more important, and at the upcoming DEFCON 18 conference,
West and fellow Fortify researcher Matias Madou plan to address the how
and the why behind insider threats uncovered in actual software systems.
"We studied 18 categories (of attacks) in total, ranging from
leaking sensitive information outside of the company to disrupting the
execution of the code designed to support business processes," West
said. "In general, we found short, dense code fragments that could be
written in a couple of hours. However, our anecdotal conclusion is that
many of these attacks took months of planning the strategy implemented
by these relatively compact segments of code."
Most development organizations today make no effort to identify explicitly malicious code written by insiders, Madou added.
"If the attack is not so obviously destructive that it is identified
through typical quality and security assurance practices, then insiders
may plant attacks that lay dormant in a codebase for sometime," he
said. "You might find that piece of code by accident or when the
exploit is carried out, but that's a poor time to start the
investigation."

"By intelligently abstracting malicious behavior into key
indicators, we have been able to find multiple confirmed problems in
real code bases," West explained. "The key to an effective approach is
still a process for reviewing and safeguarding against malicious
insiders, but static analysis can and should be an integral part of
that process."
Still, detecting insider threats through technology alone can be
problematic. Administrators, after all, can often use their access
privileges to hide their behavior. As a result, a mix of technical and
non-technical solutions is needed.
"From a technical perspective, we can deter malicious insiders by
regularly informing developers that the company is actively looking for
insider threats," Madou said. "Non-technical prevention techniques
should be tackled by HR and management. From a detection stand-point,
the biggest advantage development organizations could give the
[vendors] is sharing anonymized examples of the malicious code they do
find so that we can continue improving detection capabilities to combat
the insider threat problem."
DEFCON will run from July 30 to Aug. 1 in Las Vegas.